[Samba] use spnego question - samba 47 to samba48 migration
Kontrol-Suporte
suporte at kontrolsecurity.com.br
Sat Jun 23 21:21:23 UTC 2018
In Time.
Checking the services, folders and permissions, it seems samba48 does not follow exactly the same samba47 model.
When restarting samba47 by using "/usr/local/etc/rc.d/samba_server restart" I could see all three services being restarted (smbd, nmbd and winbind)
Now restarting samba48 I can see 2 services only (smbd and nmbd); the winbind service seems to be separate. I could not find any entry for a winbind service restart under "rc.d/".
It's important to say that the authentication is working fine with Kerberos/tickets - NTLM is the only thing failing.
Thanks,
Fabricio.
-----Original Message-----
From: Kontrol-Suporte <suporte at kontrolsecurity.com.br>
Sent: Saturday, June 23, 2018 5:05 PM
To: 'samba at lists.samba.org' <samba at lists.samba.org>
Subject: RE: [Samba] use spnego question - samba 47 to samba48 migration
Hello Gentlemen.
OK, tests were made. I got some errors only when using Samba48 (samba47 is still fine).
IMPORTANT: I forgot to mention... This is being used with SQUID Proxy for SSO authentication.
Got NTLMSSP neg_flags=0xa2088207
Got user=[user01] domain=[MYDOMAIN] workstation=[ADCONTROL01] len1=24 len2=338
Login for user [MYDOMAIN]\[user01]@[ ADCONTROL01] failed due to [{Access Denied} A process has requested access to an object but has not been granted those access rights.]
GENSEC login failed: NT_STATUS_ACCESS_DENIED
I tried the new settings as suggested and also partial changes. Both are presenting the same behaviour. Nothing was changed in the AD side.
I also re-checked the permissions/ownership on "/var/db/samba4/winbindd_privileged" folder which is used by SQUID.
To Rowland: You asked if I really need the "min protocol = LANMAN2" option. Well, the idea was to enforce a minimum security level.
Any help will be very appreciated.
Regards
Fabricio.
-----Original Message-----
From: Kontrol-Suporte <suporte at kontrolsecurity.com.br>
Sent: Saturday, June 23, 2018 3:42 PM
To: 'samba at lists.samba.org' <samba at lists.samba.org>
Subject: RE: [Samba] use spnego question - samba 47 to samba48 migration
Thanks everyone who replied to this thread.
I will try the new settings ASAP!
Thanks once again!
Fabricio.
-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On Behalf Of Rowland Penny via samba
Sent: Saturday, June 23, 2018 8:13 AM
To: samba at lists.samba.org
Subject: Re: [Samba] use spnego question - samba 47 to samba48 migration
On Fri, 22 Jun 2018 19:25:11 -0300
Kontrol-Suporte via samba <samba at lists.samba.org> wrote:
> Hello Everyone,
>
> Good evening!
>
> Here is some background:
>
> I am moving from samba47 to samba48 - I am keeping my existing scripts
> and config files.
>
> The messages below are now appearing while executing some tasks in
> samba48 only - samba47 is not showing it:
>
> #Unknown parameter encountered: "use spnego"
> #Ignoring unknown parameter "use spnego"
> #Unknown parameter encountered: "use spnego"
> #Ignoring unknown parameter "use spnego"
>
> Question: is the "use spnego" deprecated for samba48? If so, what is
> replacing it?
>
> Here is my smb4.conf file:
>
> ###############################
>
> [global]
> workgroup = MYDOMAIN
> map to guest = never
> logon path = \\%L\profiles\.msprofile
> logon home = \\%L\%U\.9xprofile
> logon drive = P:
> usershare allow guests = no
> client NTLMv2 auth = yes
> client lanman auth = no
> client plaintext auth = no
> use spnego = yes
> client use spnego = yes
> min protocol = LANMAN2
> idmap gid = 10000-20000
> idmap uid = 10000-20000
> realm = MYDOMAIN.CORP
> security = ads
> template homedir = /home/%D/%U
> template shell = /bin/bash
> winbind offline logon = yes
> winbind refresh tickets = yes
> winbind enum users = yes
> winbind enum groups = yes
> winbind nested groups = yes
> winbind use default domain = yes
> encrypt passwords = yes
> socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
> log level = 3 passdb:5 winbind:3
> usershare allow guests = no
> printcap name = /dev/null
> load printers = no
> printing = bsd
> local master = no
> kerberos method = secrets and keytab
> winbind refresh tickets = yes
>
> [homes]
> comment = Home Directories
> valid users = %s, %D%W%S
> browseable = no
> read only = no
> inherit acls = yes
>
> ###############################
>
> Thanks Much!
>
> Fabricio.
>
OK, you have multiple default lines in your smb.conf, these are:
map to guest = never
usershare allow guests = no
client NTLMv2 auth = yes
client lanman auth = no
client plaintext auth = no
client use spnego = yes
template homedir = /home/%D/%U
winbind nested groups = yes
encrypt passwords = yes
usershare allow guests = no
You might as well remove them.
The following lines are not much use in a Unix domain member smb.conf, they don't work with AD:
logon path = \\%L\profiles\.msprofile
logon home = \\%L\%U\.9xprofile
logon drive = P:
So you might as well remove them as well.
These two lines slow things down and are not actually needed:
winbind enum users = yes
winbind enum groups = yes
You might as well remove them as well.
'use spnego' was removed at 4.8.0, so you must remove this line.
You should also remove the 'socket options' line; you should let your kernel sort this for you.
Finally 'idmap gid' and 'idmap uid' have been deprecated for quite some time and have been replaced by 'idmap config' lines, so with all the removals etc, can I suggest you try this smb.conf:
[global]
workgroup = MYDOMAIN
realm = MYDOMAIN.CORP
security = ads
min protocol = LANMAN2 # Do you really need this?
idmap config * : backend = tdb
idmap config * : range = 2000-9999
idmap config MYDOMAIN : backend = rid
idmap config MYDOMAIN : range = 10000-20000
template shell = /bin/bash
winbind offline logon = yes
winbind refresh tickets = yes
winbind use default domain = yes
log level = 3 passdb:5 winbind:3
printcap name = /dev/null
load printers = no
printing = bsd
local master = no
kerberos method = secrets and keytab
[homes]
comment = Home Directories
valid users = %s, %D%W%S
browseable = no
read only = no
inherit acls = yes
Rowland
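The checks Rowland walks through above (a parameter removed in 4.8.0, deprecated idmap settings, NT4-only logon lines, the enum parameters, and values that merely restate Samba's defaults) can be applied mechanically before a migration. The script below is an added example, not code from the thread or from the Samba project; it parses an smb.conf the way smb.conf(5) describes (only whole-line '#' or ';' comments), so it also shows that an inline "# ..." note lands in the value rather than being ignored. The category lists are taken from the advice in this thread and are not a complete catalogue of Samba's deprecated parameters.

```python
from collections import Counter
# Parameters Rowland says to drop, keyed to the reason given in the thread.
NT4 = "NT4-only, ignored on an AD member"
FLAGGED = {"use spnego": "removed in 4.8.0",
           "idmap uid": "deprecated, use idmap config", "idmap gid": "deprecated, use idmap config",
           "logon path": NT4, "logon home": NT4, "logon drive": NT4,
           "winbind enum users": "slows winbind, not needed", "winbind enum groups": "slows winbind, not needed"}
# Parameters the posted config sets to Samba's default (values compared lowercased).
DEFAULTS = {"map to guest": "never", "usershare allow guests": "no", "client ntlmv2 auth": "yes",
            "client lanman auth": "no", "client plaintext auth": "no", "client use spnego": "yes",
            "template homedir": "/home/%d/%u", "winbind nested groups": "yes", "encrypt passwords": "yes"}

def parse_smb_conf(text):
    """Yield (section, key, value). Per smb.conf(5) only a line starting with '#' or ';'
    is a comment, so an inline '# ...' is read as part of the value."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line[0] == "[" and line[-1] == "]":
            section = line[1:-1].strip()
        elif "=" in line:
            key, value = line.split("=", 1)
            yield section, " ".join(key.lower().split()), value.strip().lower()

def lint(text):
    """Return (reason, key) findings; a key repeated within one section is a duplicate."""
    findings, seen = [], Counter()
    for section, key, value in parse_smb_conf(text):
        seen[(section, key)] += 1
        if seen[(section, key)] == 2:
            findings.append(("duplicate", key))
        if key in FLAGGED:
            findings.append((FLAGGED[key], key))
        elif DEFAULTS.get(key) == value:
            findings.append(("default value, can be removed", key))
    return findings

# Constructed excerpt of the [global] section posted in the thread.
SAMPLE = """[global]
map to guest = never
logon drive = P:
use spnego = yes
idmap uid = 10000-20000
usershare allow guests = no
usershare allow guests = no
min protocol = LANMAN2 # inline note: not a comment, becomes part of the value
"""
```

Run `lint(open("/usr/local/etc/smb4.conf").read())` on the real file; `testparm` remains the authoritative check, since only it knows the full parameter table of the installed Samba version.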